Self tests for micro-controllers

The increasingly use of microprocessors or microcontrollers in safety-related products for machinery sector such as controls and sensors has led to particular requirements being placed upon their safety. The devices that use this kind of devices are called “safety blocks” in machinery directive 2006/42/EC, safety functions or E/E/PES systems in IEC 61508. The difference with normal devices is that the response of the controller in the event of a fault must be deterministic and the time duration must be under control. In addition the way of dys-functioning of the safety device in hazardous situation must lead to a safe state.

In order to realize the two objectives safety standards defines methods and rules in order to control the failures. These measures are specific and have to be taken during the design of the safety system. This page describes processor tests commonly called SELF TESTS that help to make the safety device more robust in terms of safety-related applications. The measures presented hereafeter are common measures that helps designers to satisfy the requirements of IEC 61508 and EN 13849-1, IEC 62061.

Depending of the safety target these measures enable to reach the required level of safety. However these measures are not always sufficient and they must be combined both with :

  • the system architecture (structure)
  • the functional tests

These measures are possible solutions, and MUST be regarded as examples only.

We identify an other article the PIC microcontroller architecture,  and the different functional blocks that are for PIC16F884 :

functional safety and PIC microcontroller architecture

As defined in right part of the figure, different kind of ressources are used to perform the safety functions

For each of these blocks, a failure can occurs and the consequence when the device is intended to perform a safety function is to loss the safety function.

The different block must be tested. The followings hereafter defines the techniques that can be used in order to test the different ressources. Some of them are defined in standards e.g. IEC 61508, and some others are defined in the relevant litterature.

These kinds of tests are called SELF TESTS, because they test only the HARDWARE ressources of the device and they do not test the function that is programmed inside the device.

The first document for machinery sector that was discussing this subject was a german document from TUV study group on computer safety : MIKROCOMPUTER IN DER SICHERHEITSTECHNIK " Eine Orientierungshilfe für Entwickler und HerSfeÎler H. HÔLSCHER-J. RADER TÜV Rheinland - 1984 :

 

This document was translated in French by INRS under the reference INRS 60 - N° ISSN 0397-4529 LES MICROPROCESSEURS DANS LES TECHNIQUES DE SÉCURITÉ GUIDE POUR CONCEPTEURS ET CONSTRUCTEURS - AVRIL 1986

4.1 Single channel structure

4.2 Single channel structure with Diversified software

4.3 - Two channel structure

4.4 - Fail safe comparator

4.5 - External tested comparator

4.6 - External mutual comparison

4.7 - Internal comparison for single channel structures with diversified software

4.8 - Standard CPU test

4.9 - High level CPU test

4.10 - CPU monitoring by duplication of CPU with hardware comparison

4.11 - Modified chechsum technique for ROM

4.12 - Parity bit technique for ROM

4.13 - Signature calculation for ROM with single word length

4.14 - ROM monitoring with modified Hamming code

4.15 - Signature calculation from ROM with double word length

4.16 - Arithmetic addition of the ROM content 

4.17 - ROM monitoring via duplicate ROM with hardware comparison

4.18 - ROM test via duplicate ROM with software comparison

4.19 - RAM test "checkerboard"

4.20 - RAM test "March"

4.21 - Parity bit technique for RAM

4.22 - RAM test "Walkpat (walking pattern)"

4.23 - RAM monitoring with modified Hamming code

4.24 - RAM test"Galpat l'' 

4.25 - RAM test "Galpat II''

4.26 - transparent "Galpat" Test for RAM 

4.27 - RAM monitoring via duplicate RAM with Hardware comparison

4.28 - RAM monitoring via duplicate RAM with Software comparison

4.29 - Input/output plausibility tests

4.30 - Standard input / output tests and monitoring procedures

4.31 - High levelinput / output tests and monitoring procedures

4.32 - Complementary Tests

4.33 - Time based program monitoring

4.34 - Logic based program monitoring by counting technique

4.35 - Logic based program monitoring by key technique

4.36 - Time diversification

4.37 - Software diversification

4.38 - hardware diversification

4.39 - Certified components

4.40 - Operationally proved components

4.41 - Code inspection

4.42 - Manual Program analysis

4.43 - Diversified Reverse Order analysis


Other sources from IEC 61508 :

Today the reference document for test and safety devices is defined in IEC 61508. This standard defines in part 2 of the standard the requirements and the detailled information are presented in part 7 of the standard.


Other sources from BGIA :

A document was produced by BGIA in Germany to present the way to apply these techniques on a microcontroller : BGIA report 7/2006 - Self-tests for microprocessors incorporating safety functions

Contents
1 Introduction
2 Type of self-tests
2.1 Microprocessor system tests
2.2 Peripherals tests
3 Tests of internal blocks and units of the CPU
3.1 Basic tests 
3.1.1 Program counter test (PC_ TEST.ASM)
3.1.2 Accumulator test (ACC TEST.ASM)
3.1.3 PUSH. POP and RET stack instruction test (PPR_ TEST.ASM)
3.2 Advanced instruction tests
3.2.1 Jump if not zero (JNZ_ TEST.ASM)
3.2.2 Arithmetic instructions (ARI_ TEST.ASM)
3.2.3 Logic instructions (ANL_TEST.ASM. ORL_TEST.ASM, XRL_TEST.ASM and CRS_TEST.ASM)
3.2.4 Logic instructions (BIT TEST.ASM)
3.2.5 Transfer instructions (TRANTEST.ASM) 
4 Memory tests
4.1 Program memory test (ROM_ TEST.ASM)
4.2 Data memory test (XRAMTEST.ASM)
5 Special function register test (SFR_TEST.ASM) 
6 Port tests (IO_TEST.ASM)
7 Main program
8 Concluding remarks
9 References

Other sources from microchip :

Because the application is done for Microchip devices as an example, we will present the mechanisms that are defined in an application note from microchip :AN1229 - Class B Safety Software Library for PIC® MCUs and dsPIC® DSCs

  • CPU Registers
  • CPU program Counter
  • Invariable Memory
  • Variable Memory
  • Clock
  • Interrupt Handling and Execution